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The LEGO Group’s contribution to the 
Information Commissioner's Office call for evidence: 
Age Appropriate Design Code 


rst and foremost, the LEGO Group welcomes the inclusion of Article 123 of the UK Data Protection Act 2018, 
requiring the Commissioner to prepare a code of practice on standards of age-appropriate design of relevant 
formation society services which are likely to be accessed by children. 


addition, we welcome the integration of the requirement that the design of services should meet a child’s 
development needs into the legal definition. We believe that these needs should be considered from both the 
ngle of the protection of the interests, rights and freedoms of the child as well as due consideration of methods 


that deliver positive contributions to children’s development and learning, some which may require data to be 


processed. 


Finally, we welcome the opportunity to contribute to this important discussion and look forward to supporting 
the delivery of a design-code that has children’s best interests at its core. Before entering into the specific 
proposals, questions and principles as set out by the Consultation paper, we would like briefly to summarise the 
LEGO Group’s approach to engaging with children. 


The LEGO Group’s approach to engaging with children 
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A positive role for data in children’s development: 


e = It is, though, also important to state that at the same time as prioritising safety it is also our company mission 
to inspire and develop the builders of tomorrow; enabling and empowering children, through playful 
experiences, to learn, develop and maximise their creative potential. 


e And when we look to the future, we see digital as being of increasing importance in allowing us to achieve 
this. 


e In the future it is likely that data could well become an enabler of children’s agency, education and 
development and so we are keen to strike a balanced, forward-looking approach here. The principle of 
proportionality, where the appropriate protections for the data subject are to be decided according to a risk- 
based assessment that takes full account of children as vulnerable subjects, is fundamental. 


e And so, we continue to champion the adoption of a framework that recognises and respects children’s 
interests, rights and freedom, including the need for specific protections, while acknowledging that certain 
demonstrable developmental benefits generated by data processing, under certain conditions, should be 
accessible to children in the future. 


e We believe the definition in the Data Protection Act of “age-appropriate design” as the ‘means the design of 
services so that they are appropriate for use by, and meet the development needs of, children’ recognises 
that the development needs of children are not solely to be found in protection from risk, but also in the 
embracing technological opportunities from data where it has value for children’ development. 


e Tobe clear, this is not advocating a relegation of the importance of safety. It is absolutely correct that as 
young children today are exposed to the rapid technological developments taking place and the 
unprecedented levels of digital immersion that the potential for negative impact is well understood and 
resolutely addressed. 


e Our position is an encouragement to policy makers to consider a balanced approach, that acknowledges that 
ostracising children from the future benefits of data may not meet their development needs. 


An opportunity to incentivise good design practice 


e = Lastly, we also believe that the ICO’s work and the development of the age-appropriate design code 
represent a significant opportunity to advocate good and best practice, as well as discouraging and 
penalising poor practice. 


e We have for some time advocated that policy-makers and regulators explore a meaningful and fair way to 
support children and parents in their efforts to identify ISS that are in the best interest of children. This could 
include a process for regulators to highlight those who embrace best practice with smart, considered 
protections for children. 


Important Principles for the age-appropriate design code 

e We support the adoption of a separate and specific approach to the processing of children’s data. One that 
is built for children. One that recognises the need for specific protections to safeguard children’s interests, 
rights and freedom as vulnerable persons, while also acknowledging that the value generated by data 
processing should be accessible by children in the future, under the right conditions and, where appropriate, 
with parental oversight. 


e Wewould recommend placing the following principles at the heart of this Code. 


e = Child-centred: The Code should place children’s best interests at its core. 
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and we also acknowledge the importance of empowering and educating children around choice and 
agency; 

e Value: Acknowledge that data collected and processed under the right conditions can, in some cases, 
contribute to children’s development needs, particularly in skills development, education and learning; 

e Advocating behaviours: A Code such as this represents an opportunity to encourage ISS that are likely to 
be accessed by children to promote positive behaviour among their users. 

e Playful, creative and innovative: The Code should be built upon a strong understanding of how children 
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Q1A. Please provide any views or evidence on how appropriate you consider the above age brackets would be in 
setting design standards for the processing of children’s personal data by providers of ISS {online services), 
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involvement than a plus-13 platform. As such, any prescriptions for design based on banding should reflect 
these higher levels of parental involvement, particularly when it comes to the possibility to turn on 
processing of data. 


e There are also clear benefits of a more granular approach to age banding. Primarily it allows processing of 
children’s data, design standards and safeguards to deliver a gradual evolution of children’s relationship with 
data and ISS. This would reduce the likelinood of a ‘cliff edge’ scenario where children go from a highly 
protective environment into a data ‘regime’ that is designed for an adult audience. 


e Lastly, itis worth sharing a practical example of the application of the age brackets suggested for the LEGO 
Group. LEGO® Life, our social app, is designed for an audience ranging primarily from 8-12. This transitions 
two of the recommended bandings, so we assume it would be required to conform to the principles set out 
at the lower of the two bands. This would be important to qualify for ISS straddling more than one band with 
a single service. 


The United Nations Convention on the Rights of the Child 


The Data Protection Act 2018 requires the Commissioner to take account of the UK’s obligations under the UN 
Convention on the Rights of the Child when drafting the Code. 


Q3. Please provide any views or evidence you have on how the Convention might apply in the context of setting 
design standards for the processing of children’s personal data by providers of ISS {online services) 


e As we have stated we have, since 2015, had a global partnership with UNICEF to support the integration of 
the Convention on the Rights of the Child and the Children’s Rights and Business Principles into our 
operations and digital engagements with children. 


UN Convention on the Rights of the Child: 
e §=Of principle importance in this case are: 


e Article 1 (definition of the child) Everyone under the age of 18 has all the rights in the Convention. 
e Article 3 (best interests of the child) The best interests of the child must be a top priority in all decisions 
and actions that affect children. 
o Aright that will sit at the centre of this Code and should dictate safeguards as well as a 
recognition of value derived from data. 
e Article 5 (parental guidance and a child’s evolving capacities). 
e Article 12 (respect for the views of the child). 
o This we believe is particularly important in the design process of the Code. 


èe Article 13 (freedom of expression). 

e Article 15 (freedom of association). 

e Article 16 (right to privacy). 

e Article 29 (goals of education) Education must develop every child’s personality, talents and abilities to 


p e Again, this we believe can be embraced to acknowledge that data could play a positive role in 
children’s development if processed under the right conditions. 
Children’s Rights and Business Principles: 
e Of importance in this case are: 
e Principle 4. Ensure the protection and safety of children in all business activities and facilities. 


e = Principle 5. Ensure that products and services are safe and seek to support children’s rights through 
them. 
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e Principle 6. Use marketing and advertising that respect and support children’s rights. 


Aspects of design 


We will take the List items submitted by the UK Government and address all questions within each item: 


Q4. Please provide any views or evidence you think the Commissioner should take into account when explaining 
the meaning and coverage of these terms in the code. 

QS. Please provide any views or evidence you have on the following: 

QSA. about the opportunities and challenges you think might arise in setting design standards for the processing 
of children’s personal data by providers of ISS (online services), in each or any of the above areas. 

QSB. about how the ICO, working with relevant stakeholders, might use the opportunities presented and 
positively address any challenges you have identified. 

QSC. about what design standards might be appropriate (ie where the bar should be set) in each or any of the 
above areas and for each or any of the proposed age brackets. 


Data Minimisation Standards 


Considerations 


e The principle of data minimisation is enshrined in Article 5 and 25 of the GDPR requiring that personal data 
shall be: 


e adequate, relevant and limited to what is necessary in relation to the purposes for which they are 
processed (‘data minimisation’); 


e Taking into account... the nature, scope, context and purposes of processing as well as the risks of 
varying likelihood and severity for rights and freedoms of natural persons posed by the processing.... 


The wording does not directly reference children but does reference consideration of the risks for the natural 
persons, which infers the recognition of children as vulnerable persons. It is not clear though how the principle 
of data minimisation differs in the context of the child. It is hard to extend this to require more adequacy, 
more relevance and greater limits than what is necessary. The bottom line being that the definition of 
adequate, relevant and necessary should be strictly adhered to. 


Our approach to data minimisation has been one of low data collection and use. For example, our social app, 
LEGO Life, has a series of default safeguards that go to significant lengths to protect children, both in terms of 
data collection and processing as well as a broader harm-mitigation approach. 


e LEGO Life was referenced in the UK Government's Internet Safety Strategy Green Paper as part of Chapter 6. 
How can technology improve online safety for all users? There it stated that: 


In 2017, the LEGO Group launched their social themed app, LEGO® Life. The app is designed for 
younger children, particularly those from ages 8 -12, and it aims to inspire children to build and 
share their creations in a high-safety, high-trust environment. LEGO® Life applies the principle of 
safety-by-design, as well as introducing children to some of the more positive features found in 
other social platforms, demonstrating how social media sites can enrich their lives through 
sharing with family and friends. 


The app is now available in 18 countries around the world and has over 3.2 million downloads. In 
addition to this, in 2018 the LEGO Group will launch a Parental App, Hub and Dashboard, taking 
a further step in securing the peace of mind of parents as well as providing them with more 
opportunities to share in the creative experience with their children. 
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e LEGO Life does indeed adopt a safety-by-design and privacy-by-design approach, currently minimising the 
collection and use of children’s data and supporting children’s privacy by: 
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filtering and manual intervention. We have highly trained moderators 


e Encouraging children to interact with UGC created by other LEGO Life children through a unique set of 
expressive LEGO Emoticons and Stickers. This allows for instant engagement without elevating the risk 


of bullying through negative or harmful comments. These have also proven to be very popular. 


e In reference to the challenges that data minimisation poses, there remains the principle challenge that the 
necessary detection of the age of a child in order for an ISS to understand which age-band it needs to abide 
by could well be data heavy. Indeed, the ability to do this rigorously and with demonstrable accuracy would 
potentially require the processing of significant additional data. This presents a challenge to the principle of 
data minimisation, particularly in the context of children. 


Recommendation: 


e To ensure that the principle of data minimisation is respected, and that ISS processing of personal data is 
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, 
we would recommend the strong encouragement of data protection impact assessment (DPIA) at the point 
of design for ISS. In Annex 2 of the Article 29 Working Parties Guidelines on Data Protection Impact 
Assessments it recommends that a DPIA address criteria relating to necessity and proportionality, including 
what is adequate, relevant and limited to what is necessary data. 


The presentation and language of terms and conditions and privacy notices 


Considerations: 
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e Recital 58 of the GDPR states that “Given that children merit specific protection, any information and 
communication, where processing is addressed to a child, should be in such a clear and plain language that 
the child can easily understand.” 
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e Data protection law is a complicated subject and delivering it in a way that can be easily understood is a 
challenge, particularly when you consider the younger end of the age spectrum, where risk and consequence 
are less understood. 


e =|t should also be again acknowledged that ISS offered directly to a child under the age of 13 will also require 
communication of data processing activities to parents primarily to enable VPC to work effectively. 


e However, we recognise the position of the A29WP that ‘children do not lose their rights as data subjects to 
transparency simply because consent has been given/ authorised by the holder of parental responsibility’ and 
believe efforts should still be made by the ISS to protect the interests and rights of a child through 
transparent behaviour. 


e = |t does appear though that to get close to a point of easy understanding, particularly for younger children, 
the method and manner of communication will have to move some way from what we understand today to 
be Terms and Conditions and Privacy Policies and the legal purpose that they serve. 


Recommendation: 


e Our recommendation is that, despite the challenges, the ICO should encourage an ambitious approach, 
grounded in innovation, testing and a deeper understanding of how children effectively learn and absorb 
information. 


e The ICO could undertake an examination of methods, tested and built with children, from which 
recommendations can be made on possible approaches that can be employed by ISS. The A29WP in their 
Guidelines on Transparency suggested the possible employment of ‘user panels, readability testing, formal 
and informal! interactions and dialogue with industry groups, consumer advocacy groups and regulatory 
bodies, where appropriate, amongst other things’ but of upmost importance is the inclusion of children. 


e Wealso encourage the ICO to reaffirm the recognition from the A29WP that ‘with very young or pre-literate 
children, transparency measures may also be addressed to holders of parental responsibility given that such 
children will, in most cases, be unlikely to understand even the most basic written or non-written messages 
concerning transparency’. 


e We believe there should be the freedom for each ISS to deliver a personalised approach according to the 
culture, spirit and style of the ISS. Strict limitations on approaches employed would not be desirable at this 
stage and could potentially remove aspirations for ISS looking to excel and differentiate themselves in this 
space. 


e The assessment of whether something is easily understood should take full account of the efforts and 
resources employed by ISS in attempting to reach this ambitious bar. 


Automated and semi-automated profiling 


Considerations: 


e We remain very aware of sensitivities related to the discussion of profiling of children, as well as the 
associated risks and protections. 


e The definition of profiling in the GDPR Article 4(4) states that ‘profiling’ means any form of automated 
processing of personal data consisting of the use of personal data to evaluate certain personal aspects 
relating to a natural person, in particular to analyse or predict aspects concerning that natural person's 
performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, 
location or movements; 
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e Given the breadth of this definition we believe that an ISS’ ability to conduct profiling in the context of 
children should again be grounded in a contextual, risk-based assessment, with a clear acknowledgement of 
the presence of specific protections for children as set out in the GDPR. 


e = The Article 29 Working Party adopted Guidance in October 2017 stating that ‘Article 22 does not prevent 
controllers from making solely automated decisions about children, if the decision will not have a legal or 
similarly significant effect on the child’. 


e They were also very clear that, from Recital 38, children do merit specific protection and that ‘Such specific 
protection should, in particular, apply to the use of personal data of children for the purposes of marketing 
or creating personality or user profiles and the collection of personal data with regard to children when using 
services offered directly to a child.’ 


e We would highlight again the active involvement of parents in the processing of the data of a child under 13 
in the UK, due to the requirement for verified parental consent, where the legal basis for processing data is 
consent. We believe that this should be recognised as a specific protection and have some impact on the 
balancing act weighing up the interests, rights and freedoms of children in the context of profiling. 


e We do recognise that profiling in the context of children would in certain circumstances deliver a 
demonstrably positive impact on children’s well-being and development. 


e To be clear, a risk-based approach would not permit all types of profiling. As we say above some forms of 
automated profiling at scale should be safeguarded against and a risk-based approach would achieve this, 
not because it is profiling per se, but because of the risk associated with it. 


Recommendation: 


e Wedo not believe there should be a broad prohibition of profiling on ISS likely to be accessed by children. 
Instead we believe that ability of the ISS to conduct profiling in the context of children should again be 
grounded in a contextual, risk-based assessment, with a clear acknowledgement of the presence of specific 
protections — such as mandatory DPIA and Parental Consent for under 13 - for children as set out in the 
GDPR. 


e There could be some recognition of the difference between “bad profiling” and “good profiling” wherein if 
you can protect a child by doing profiling (e.g. automated processing) it should be permissible for an ISS. We 
use automated processing, for example, to filter pictures that have violent characters or obscene images 
and it would be very difficult to protect children online if we were not allowed to do so. 


Transparency of paid-for activity such as product placement and marketing 


Considerations: 


e There is significant existing legislative and self-regulatory governance of transparency requirements for 
commercial practices from business-to-consumer, including marketing and product placement that extend 
to ISS. 


e The EU UCPD that governs B2C unfair commercial practices, enshrined in UK law by The Consumer 
Protection from Unfair Trading Regulations 2008, defines misleading omissions in Article 7 as practices that 
‘in its factual context, taking account of all its features and circumstances and the limitations of the 
communication medium, it omits material information that the average consumer needs, according to the 
context, to take an informed transactional decision and thereby causes or is likely to cause the average 
consumer to take a transactional decision that he would not have taken otherwise.’ 


e The AVMSD, that is in the process of completing its revision, governs the application of the marketing, 


sponsorship and product placement in linear and non-linear audio-visual content. It is anticipated that the 
revised version will apply to video-sharing platforms. 
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e Marketing, sponsorship and product placement has a strong self-regulatory framework, governed in the UK 
by the Advertising Standards Authority & Committee of Advertising Practice. UK applicable CAP Code of Non- 
broadcast Advertising and Direct & Promotional Marketing contains comprehensive rules on Recognition of 
Marketing Communication the scope of which extends to cover a significant quantity of online services 


e CAP has recently published additional Guidance to companies on the Recognition of advertising: online 
marketing to children under 12. Where it states that ‘Marketing communications that do not adequately 
make clear their commercial intent, either through the context in which they appear or through disclosures, 
are likely to breach the Code’ and that ‘While much marketing is obvious by its nature and/or format, some 
formats need further, “enhanced” disclosure to help younger children understand their commercial intent’. It 
goes on to Set out the requirements for enhanced disclosure. 


Recommendation: 


e = There is clearly a significant existing body of rules relating to the need to make clear the commercial intent 
and nature of commercial activities. There is also significant guidance on how to do so. 


e The challenges appear reflect the question of whether to extend such requirements to children above the 
ages set out in legislation and self-regulatory codes; and which regulatory body should ultimately take that 
decision. It has been to-date in the remit of ASA to make such decisions relating to marketing practices in 
the UK. 


e While the legality and appropriateness of data processing activities involved in the delivery and experiencing 
of marketing practices fall under the ICO’s remit, it is not clear that the guidance on the identification, 
content and method of marketing do. 


The strategies used to encourage extended user engagement 


e We were keen to just add one concise reflection in this section which focuses less on strategies used to 
encourage extended user engagement and more on strategies to counter extended user engagement. 


e LEGO Life was designed as an augmentation and social tool that was layered over the physical play 
experience. The tool creates a space to share and digitally interact with builds that have been created 
through physical play activities. In other words, the app does not function optimally unless children have 
spent time off the app, playing, building and creating. While we recognise that a model that connects the 
functionality of the ISS to children’s time spent being elsewhere is perhaps not appropriate for all, it is 
interesting again to consider innovative ways to limit extended user engagement by-design. 


END 
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Q6. If you would be interested in contributing to future solutions focussed work in developing the content of the 
code, please provide the following information. The Commissioner is particularly interested in hearing from bodies 
representing the views of children or parents, child development experts and trade associations representing 
providers of online services likely to be accessed by children, in this respect. 


None: 
mai 
Brief summary of what you think you could offer: 


The LEGO Group and the LEGO Foundation have over 80 years’ experience supporting the growth, development 
and well-being of children all within a safe environment. We are a globally recognised and trusted brand primarily 
engaging with children under-13. We have a well-established safe, social app for younger children in LEGO Life. 
This features a lot of the safety and privacy by design components referenced above. We are also constantly 
exploring how best to communicate important messages to children, both related to privacy but also about what 
behaviours we would love to see them embrace. 


| would see our ability to support the ICO’s efforts as focusing on the following areas: 


e Support the development of effective child-tested communication methodologies grounded in 
children’s learning patterns. 

e Supporting the development of a mechanism for the incentivisation of good practice in this space. 

e Development of a concept of “developmental value” of data processing and use, including in the 
context of profiling. 
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Section 2: About you 


Are you: 


A body representing the views or interests of children? 
Please specify: 


A body representing the views or interests of parents? 
Please specify: 


A child development expert? 
Please specify: 


A provider of ISS likely to be accessed by children? 
Please specify: 


A trade association representing ISS providers? 
Please specify: 


An ICO employee? 


Other? 
Please specify: 


Thank you for responding to this call for evidence. 
We value your input. 
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